North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: motivating security, was Re: Every incident...

  • From: John Bittenbender
  • Date: Wed Feb 14 01:10:33 2007
  • Domainkey-signature: a=rsa-sha1; c=nofws;; s=beta; h=received:message-id:date:from:to:subject:in-reply-to:mime-version:content-type:references; b=T/HRQDVXBEdsJTWve5A03kNj/DT0jjHt2X2sqIAAPdWp6iDmKpeBf4EDppYDbxALhE/RSKtvxfUKRhBD77cRQHQdl2eTebgv9DVQcV51pCBQn2dIJND+rDSdliHM3a+DLDFfb0FufJVlBR3qTLcq4vXeJrupicFSeP6GeWEAkys=

On 2/12/07, Per Heldal <[email protected]> wrote:

On Mon, 2007-02-12 at 09:06 -0500, Edward Lewis wrote:
> I've worked in security for some time, not that it makes me an expert
> but I have seen how it is promoted/advertised.
> On Feb/12/07, someone wrote:
> >Consumers are cheap and lazy.
> I think that is the wrong place to start.  It isn't the consumer's
> fault that they have a device more dangerous than they think.  Look
> at what the are being sold - a device to store memories, a device to
> entertain them, a device to connect with people they want to talk to.
> Everyone economizes on what they think is unimportant.  A consumer
> doesn't care for the software, they care for the person on the other
> side of the connection.  They care about the colors in the office,
> the taste of the food, etc.  So it may appear they "low-ball" that
> part of the computer equation.
> My point is that it is convenient to blame this on the consumers when
> the problem is that the technology is still just half-baked.
> >What they need is a serious incentive to care about security.
> I find this to be a particularly revolting thought with regards to
> security.  Security is never something I should want, it is always
> something I have to have.  Not "need" but something I am resigned to
> have to have.  This is like saying "folks will have to die before a
> traffic signal is put here" or "more planes will have to be taken by
> hijackers before the TSA is given the funding it needs."  Security
> shouldn't wait for a disaster to promote it - you might as well be
> chasing ambulances.  Security has to resign itself to being
> second-class in the hearts and minds of society.  Security has to be
> provided in response to it's environment and not complain about it's
> lot in life.
> (I realize that this post doesn't say anything about people "dying" -
> I've heard that in other contexts.)

You're missing the point. My suggestion lies along the lines of "follow
the money-trail". I want consumers held responsible so that they in turn
can move the focus to where it belongs; IT vendors.

> >Society holds individuals accountable for many forms of irresponsible
> >behaviour.
> This is true, but individuals are not held entirely accountable.  A
> reckless driver can cause a multi-car accident on an exit ramps and
> cause a tie up for the entire morning rush.  Are the "victims" of
> this compensated?  What about the person who loses a job offer
> because of a missed interview and suffers fallout from that?

The system isn't perfect but does that mean we should ditch all attempts
at regulation. If the no-touch approach towards IT was applied to
traffic and the automotive industry we could just as well drop all
regulation of traffic. No rules, no offences.

If you take the driver = computer operator  argument as valid (pretty close); then here perhaps is the meat of the matter.

A driver is someone that has to pass a test and pay for a license to be able to operate a potentially lethal vehicle. Now while in theory a computer can be lethal, in general it is not.

With the above said in regards to lethality, regarding the costs potentially involved in incorrect operation a computer can be near a car.

Accepting this analogy as true would imply that we should start licensing computer users.

Howerver, given the general non-lethality of a computer coupled with the idea that a computer license could potentially stifle our industry and limit innovation/education. (That kid whose parents might just barely be able to afford a PC might not be able to operate it without a license - two fold problem sales and familiarity) So, in regards to not hurting our collective industry (fiscally or in regards to talent to hire down the line) via regulation and/or financial restrictions like insurance, perhaps we should lobby for a tax break from the federal government for computer use training classes. Make it not-OS-specific, as long as you have taken a class that covers an industry body's recommendation for material you get X dollars back from the federal government.

Tax breaks, IMO, have been proven to be a great incentive for consumers and corporations alike in regards to influencing the public good. Whereas regulation has generally be a stifling influence on innovation and leads to government bloat and overhead.